Device for and Method of Handling Sensitive Data

1. An integrated circuitry to securely exchange data with another integrated circuitry, comprising: a persistent memory area to store sensitive data; a data transferer to receive the sensitive data from a trust zone of the other integrated circuitry, wherein said persistent memory area is adapted to store the sensitive data received through said data transferer, and wherein said data transferer is adapted to send the sensitive data stored in the persistent memory area to the trust zone of the other integrated circuitry; a cryptographic engine to decrypt the sensitive data received from the other integrated circuitry and encrypt the sensitive data to be sent and stored in the persistent memory area based on a symmetrical crypto method using an active secure key; wherein the integrated circuitry is separated from the other integrated circuitry, and wherein a trust zone separate from the trust zone of the other integrated circuitry is formed by the integrated circuitry, the said trust zone of the integrated circuitry comprising a key generator to generate a new secure key after power up in order to replace the active secure key.

2. A device to handle sensitive data comprising at least one first integrated circuitry to form a first trust zone and at least one second integrated circuitry to form a second trust zone, wherein the second integrated circuitry comprises: a persistent memory area located within said second trust zone to store the sensitive data; a second data transferer to receive sensitive data from the at least one first integrated circuitry, wherein said persistent memory area is adapted to store the sensitive data received through said second data transferer, and wherein said second data transferer is adapted to send the sensitive data stored in the persistent memory area to the at least one first integrated circuitry; a second cryptographic engine to decrypt the sensitive data received from the at least one first integrated circuitry and encrypt the sensitive data stored in the persistent memory area based on a symmetrical crypto method using an active secure key; and a second key generator to initiate a generation of a new secure key after power up to replace the active secure key, wherein the first integrated circuitry comprises at least one secure processing unit adapted to process the sensitive data, wherein the first integrated circuitry is separated from the second integrated circuitry, and wherein the secure processing unit of the first integrated circuitry is adapted to transfer the sensitive data from the first trust zone to the second trust zone to securely store said sensitive data in the persistent memory area of the second trust zone, and wherein the second integrated circuitry is adapted to transfer the sensitive data stored in the persistent memory area to the secure processing unit of the first trust zone, and wherein the first integrated circuitry comprises a first cryptographic engine to securely transfer the sensitive data based on the symmetrical crypto method using the active secure key which is replaceable by the new secure key generated by the second integrated circuitry after power up.

3. The device according to claim 2 , wherein the second cryptographic engine is used to securely transfer a new generated key from the second integrated circuitry to the first integrated circuitry.

4. The device according to claim 2 , wherein the first and second integrated circuitries comprise a secret one-time programmable power-on key, said power-on key being used to securely transfer, from the second integrated circuitry to the first integrated circuitry, the said new secure key generated by the second integrated circuitry after power up, wherein the one-time programmable power-on key in the second integrated circuitry is stored in the persistent memory area of the second integrated circuitry.

5. The device according to claim 2 , wherein the first integrated circuitry comprises a first key generator.

6. The device according to claim 2 , wherein the second key generator is adapted to initiate a new secure key generation after each transfer of the sensitive data from at least one of the first integrated circuitry to the second integrated circuitry and/or after each transfer of the sensitive data from the second integrated circuitry to the first integrated circuitry.

7. The device according to claim 2 , wherein the second key generator of the second integrated circuitry comprises a random number generator to generate a secure key on the basis of a random number.

8. The device according to claim 2 , wherein the persistent memory area of the second integrated circuitry is a tamper-resistant non-volatile or a tamper-resistant battery back-uped memory.

9. A method to securely transfer sensitive data bidirectionally between at least one first integrated circuitry and at least one second integrated circuitry, wherein the first integrated circuitry is separated from the second integrated circuitry, wherein at least one processing unit of the first integrated circuitry is adapted to process the sensitive data and to transfer the sensitive data from a first trust zone of the first integrated circuitry to a trust zone of the second integrated circuitry separate from the first trust zone, wherein the second integrated circuitry is adapted to transfer the sensitive data stored in the persistent memory device of the second integrated circuitry to the at least one processing unit of the first integrated circuitry, wherein the first integrated circuitry comprises a first cryptographic engine to securely transfer the sensitive data based on a symmetrical crypto method using an active secure key which is replaceable by a new secure key, the method comprising: storing the sensitive data received from at least one processing unit of the first integrated circuitry to a persistent memory device of the second integrated circuitry, wherein the persistent memory device is adapted to store the sensitive data received through a data transferer of the second integrated circuitry; decrypting, by a cryptographic engine of the second integrated circuitry, the sensitive data received from the at least one processing unit of the first integrated circuitry using an active secure key; encrypting, by the cryptographic engine of the second integrated circuitry, the sensitive data to be sent and being stored in the persistent memory device of the second integrated circuitry using the active secure key; and generating, by a key generator of the second integrated circuitry, a new secure key after power up and replacing the active secure key by the new secure key.

10. The method according to claim 9 , further comprising decrypting and encrypting a key exchange of the new secure key from the persistent memory device to the at least one processing unit using the active secure key.

11. The method according to claim 9 , further comprising decrypting and encrypting a key exchange from the persistent memory device to the at least one processing unit after power up using a secret one-time programmable power-on key used as an initial secure key.

12. The method according to claim 9 , further comprising generating the new secure key or initiating a key exchange using the persistent memory device after each data transfer of the sensitive data from the at least one processing unit to the persistent memory device and/or from the persistent memory device to the at least one processing unit.

13. A gambling machine, comprising at least one first integrated circuitry to form a first trust zone and at least one second integrated circuitry to form a second trust zone, said second integrated circuitry comprising: a persistent memory area located within said second trust zone to store the sensitive data; a second data transferer to receive sensitive data from the at least one first integrated circuitry, wherein said persistent memory area is adapted to store the sensitive data received through said second data transferer, and wherein said second data transferer is adapted to send the sensitive data stored in the persistent memory area to the at least one first integrated circuitry; a second cryptographic engine to decrypt the sensitive data received from the at least one first integrated circuitry and encrypt the sensitive data stored in the persistent memory area based on a symmetrical crypto method using an active secure key; and a second key generator to initiate a generation of a new secure key after power up to replace the active secure key; wherein the first integrated circuitry comprises at least one secure processing unit adapted to process the sensitive data, wherein the first integrated circuitry is separated from the second integrated circuitry; the processing unit of the first integrated circuitry is adapted to transfer the sensitive data from the first trust zone to the second trust zone to securely store said sensitive data in the persistent memory area of the second trust zone; the second integrated circuitry is adapted to transfer the sensitive data stored in the persistent memory area to the processing unit of the first trust zone; and wherein the first integrated circuitry comprises a first cryptographic engine to securely transfer the sensitive data based on the symmetrical crypto method using the active secure key which is replaceable by the new secure key generated by the second integrated circuitry after power up.

14. The gambling machine according to claim 13 , wherein the processing unit of the first integrated circuitry is configured to control the gambling machine, and the sensitive data stored in the persistent memory area of the second integrated circuitry include at least one transaction number which is used by the processing unit to validate book keeping data, wherein the processing unit comprises a transaction number generator for generating a transaction number after each game or an event which leads to a change of game related information.